Bug 1160348 - [RFE] firewalld should support ipsec vpns profiles/services
Summary: [RFE] firewalld should support ipsec vpns profiles/services
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: firewalld
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Target Milestone: rc
Target Release: 8.1
Assignee: Eric Garver
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On: 1367528 1682341
Blocks:
Reported: 2014-11-04 15:21 UTC by Peter Robinson
Modified: 2020-11-03 21:17 UTC
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-19 18:24:52 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Peter Robinson 2014-11-04 15:21:03 UTC
firewalld is the supported mechanism in rhel-7 for managing all aspects of iptables/ebtables firewalls.

It doesn't appear to support libreswan IPSEC VPNs as supported in rhel-7:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html

There are a number of options that need to be supported, as outlined in the docs link above:
1) Host to Host
2) Site to Site (network to network) often with a requirement of connecting two sites over the internet where each site is NATed
3) Termination of "road warrior" end users

There are a number of standard ports that are used for IPSEC termination:
* IP protocol 50 for Encapsulated Security Protocol (ESP)
* IP protocol 51 for Authentication Header (AH)
* UDP port 500 for IKE Phase 1 negotiation and Phase 2 negotiations
* UDP ports 500 and 4500 are used, if NAT-T is used for IKE Phase 1 negotiation and Phase 2 negotiations

Not all of the above may be needed for all configurations.

The basic support to allow IPSEC connectivity between two hosts as specified above is not the only component that needs to be supported by firewalld. Also, in the case of options 2/3 above, it needs to be able to deal with NAT and pre/post-routing of packets as they traverse the firewall, to ensure that packets going from one site network to the other site network, or from the site network to the "road warrior", are encrypted and not NATed, as appropriate.

A reasonable overview of the NAT issues is outlined in the following pages:
http://xmodulo.com/create-site-to-site-ipsec-vpn-tunnel-openswan-linux.html
http://www.mad-hacking.net/documentation/linux/networking/ipsec/static-vpn.xml

There are other considerations that may also need to be taken into account such as rp_filter/send_redirects/accept_redirects IP settings.
https://access.redhat.com/solutions/53031
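
The rule set the description asks firewalld to cover, as an added example that is not part of the bug report or of firewalld itself: a POSIX shell script that emits the firewall-cmd and sysctl commands a libreswan gateway needs for the host-to-host and site-to-site cases, including the NAT exemption for tunnelled traffic. Zone `public` and the subnets 10.0.1.0/24 and 10.0.2.0/24 are constructed sample values; the script assumes firewalld direct rules (RHEL 7/8) and the iptables `policy` match.

```shell
#!/bin/sh
# Added example, not from the bug report: firewall-cmd commands for a
# libreswan gateway covering the cases in the description. Zone and subnets
# are constructed sample values. DRY_RUN=1 (the default) prints the commands
# instead of executing them, so the script runs without firewalld installed.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Case 1, host to host: IKE (udp/500), NAT-T (udp/4500), ESP and AH.
# firewalld ships a predefined "ipsec" service that covers exactly these.
ipsec_allow() {
  run firewall-cmd --permanent --zone="$1" --add-service=ipsec
}

# Case 2, site to site: $1 zone, $2 local subnet, $3 remote subnet.
# Internet-bound traffic is masqueraded, but the inter-site flow must leave
# encrypted and un-NATed. "-m policy" matches packets that will be (dir out)
# or were (dir in) handled by an IPsec SA, so plaintext packets that merely
# claim the remote subnet as source are not accepted by these rules.
# Direct rules go into the *_direct chains, which firewalld consults before
# its zone chains, so the ACCEPT in nat/POSTROUTING wins over MASQUERADE.
ipsec_site_to_site() {
  run firewall-cmd --permanent --zone="$1" --add-masquerade
  run firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 \
      -s "$2" -d "$3" -m policy --dir out --pol ipsec -j ACCEPT
  run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
      -s "$2" -d "$3" -m policy --dir out --pol ipsec -j ACCEPT
  run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
      -s "$3" -d "$2" -m policy --dir in --pol ipsec -j ACCEPT
}

# The IP settings mentioned in the description: an IPsec gateway should not
# send or honour ICMP redirects (libreswan's "ipsec verify" flags these).
ipsec_sysctl() {
  run sysctl -w net.ipv4.conf.all.send_redirects=0
  run sysctl -w net.ipv4.conf.all.accept_redirects=0
}

ipsec_allow public
ipsec_site_to_site public 10.0.1.0/24 10.0.2.0/24
ipsec_sysctl
[ "$DRY_RUN" = 1 ] || run firewall-cmd --reload
```

Run with `DRY_RUN=0` as root on the gateway to apply the permanent configuration and reload firewalld.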

Comment 2 Răzvan Sandu 2015-03-05 07:11:40 UTC
Hello,


It is also rather difficult to support other kinds of VPNs (userland), such as the mesh-capable tinc (http://www.tinc-vpn.org/) or OpenVPN.

The VPN-firewalld interaction is especially difficult on servers, where administrators will usually avoid using NetworkManager (physical Ethernet interfaces will have statically assigned addresses).

The main characteristic of these VPN tools is that they are launched late in the initialization process (sometimes via a custom-made script launched from /etc/rc.d/rc.local, that will also set some custom static routes, etc.). For example, tinc's tun interface is dynamically created when starting the daemon; as a consequence, it has no corresponding /etc/sysconfig/networking-scripts/ifcfg-* file from which one may set the firewalld zone (ZONE=...).


Best regards,
Răzvan

Comment 3 Peter Robinson 2015-03-05 08:59:29 UTC
> It is also rather difficult to support other kinds of VPNs (userland), such
> as the mesh-capable tinc (http://www.tinc-vpn.org/) or OpenVPN.

Off topic, this is purely about IPSEC which is the only VPN mechanism currently supported in the core RHEL product. Please file another bug.

> The VPN-firewalld interaction is especially difficult on servers, where
> administrators will usually avoid using NetworkManager (physical Ethernet
> interfaces will have statically assigned addresses)

Actually, with NM/firewalld these become easier to support as, if done correctly, the VPN server can send dbus messages to firewalld/NetworkManager to add/remove rules/routes, but this is again off topic for this BZ.

Comment 7 Eric Garver 2018-11-16 18:52:01 UTC
I'm bumping this to RHEL-8 as it depends on bug 1367528 which was also bumped to RHEL-8.

Comment 11 Eric Garver 2020-10-19 18:24:52 UTC
This has been open for a long time and it's clear there is no plan to work on it. As such, closing as WONTFIX. We can reopen if it becomes more important in the future.

